Mass surveillance is Being Undermined by the ‘Snowden Effect’

images?q=tbn:ANd9GcSaVZsC4O01k2zO_JsxeOSUw3QZru5SN-hydKPZFLwR7c4KiHkh

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos

We are in the middle of a Crypto war again. Perhaps we have always been in the middle of a Crypto war. Since the 70s, the right and ability to encrypt private communications has been fought over, time and again. Here in the UK, Cameron’s re-election has prompted reports of a ‘turbo-charged’ version of the so-called ‘Snoopers’ Charter’, extending further the powers of surveillance that the whistleblower Edward Snowden described as having ‘no limits’.

Two nights ago, the US Patriot Act expired. With it, at least officially, elements of the NSA’s bulk surveillance programme expired too. The law was passed in the wake of 9/11, in order to ‘strengthen domestic security’ and ‘broaden the powers of law-enforcement agencies with regards to identifying and stopping terrorists’. Section 215 of the Act had allowed the NSA to collect mobile phone data on millions of Americans. For the time being, that provision has gone. In the same week, the UN published a report saying encryption is ‘crucial for human rights’.

But the law is only half the story. Privacy advocates were, of course, cautious not to overstate the significance of the act’s suspension. But behind this caution, their successes are far more extensive than the symbolic demise of the Patriot Act. From the perspective of surveillance, the damage has already been done.

The ‘Snowden effect’, named after the whistleblower responsible for outing government surveillance in the US and UK, has brought more companies and technologists to the fight. Their purpose? To provide privacy tools that are powerful, open-source and accessible to the masses. And these groups are winning. As fears over our privacy continue to grow and the government talks about further extending surveillance capability, ordinary people are turning to these tools. What’s more, for the first time, they are beginning to be adopted on a massive scale.

Scale is a significant change, and a significant challenge to security services. Take Tor. Tor is a web browser-cum-network that scrambles your connections and makes your internet browsing more difficult to track. Both Tor and other publicly-available encryption tools always come with a caveat. Although frequently very powerful, especially in combination with one another, they are not perfect. With enough work and with the resources at the disposal of government organisations, a single user’s communications are at risk: the sheer firepower that the security services can use to break into secure channels means that a single suspect is up against it.

This is probably a good thing. If we believe our security services should have the resources to protect us from those who would plan acts of terrorism, for example, then they must be able to intercept the communications of suspects under investigation. Isis advise use of encryption to its supporters in order to protect their identities and whereabouts. Anders Breivik wrote a blog on it. If a suspect was under investigation we would rightly expect MI5 to use wiretaps and human surveillance, after all. Digital communications should be no different.

But what the mass uptake of this kind of software threatens is mass surveillance. Cracking one encryption key is difficult but possible. Cracking millions is a different proposition. Mass uptake of encryption and of VPNs – virtual private networks designed to hide your identity – is anathema to dragnet collection of data.

Take instant messaging, for example. It is estimated that the 700m users of the app WhatsApp currently send thirty billion messages a day. This alone poses a real challenge to those calling for those messages to be somehow ‘read’ and analysed; how on earth do you read 350,000 messages a second? Over the past few years the Centre for the Analysis of Social media at Demos has done a lot of work in partnership with the University of Sussex on ‘Natural Language Processing’, the science of teaching computers to find meaning in the words we use. Conclusion: it isn’t easy. Algorithms are never perfect, and they go out of date quickly as the way we speak changes.

But now, WhatsApp on Android is end-to-end encrypted, with the possibility of extending this to iOS. Thirty billion encrypted messages a day on one platform alone. True, the levels of encryption provided to a single user under investigation won’t stand up to security service surgery, but they will provide a strong barrier to understanding this data in bulk.

WhatsApp is owned by Facebook. Today, Facebook announced the site would allow its users to encrypt emails sent from the site to their personal accounts. It already provides a ‘dark web’ link which allows access through Tor. Whether its users will take advantage of this to increase their levels of security isn’t clear, but it is tacit approval of encryption from one of the biggest technology companies on the planet. And it isn’t just encrypted communications that are becoming more mainstream.

Hola is a peer-to-peer network. It claims to ‘provide everyone on the planet with freedom to access all of the Web’. Put simply, when you use it, your connection is routed through somebody else’s computer, and when you’re not using it, your computer is offered to others for the same purpose. It is wildly popular among those looking to dodge restrictions placed on, say, television shows. Recent estimates place its use at fifty million worldwide.

Hola has been the subject of some controversy of late: above all, they weren’t quite being straight up about the risks of letting somebody else use your internet connection. Nevertheless, it is the first example of a network that is both very difficult to monitor and censor that has really hit the mainstream by offering a slick and desirable service. The much more ethically-sound and established Tor browser has less than a tenth of its userbase, but is also growing. The Ethereum project is a similar attempt to decentralise the internet and take it out of the control of the government and big companies, making it more private and impossible to censor. It raised $12 million in crowd-funded support.

What this means for the security services, and our own security, is difficult to say. The UN has recognised the vital role these tools play in protecting those at risk of oppression. Human rights activists living under government oppression, for example, or citizens looking to bypass government censorship all rely on these tools daily to avoid persecution. In our recent Demos report with my colleague Jamie Bartlett we argue that there is a balance that must be struck in dealing with this kind of powerful technology.

But lack of dialogue between governments and cryptographers, the no-man’s land between the two sides of this crypto war, is deafening. As long as the security services remain silent and Snowden keeps talking, encryption and moves to protect private communication on the internet will accelerate. It is time the government joined the debate, not as enemies of privacy, but as level-headed, publicly accountable figures whose job it is to protect us from those who would do us harm.

Spectator: http://ow.ly/NRX6b 

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos. He can be found tweeting @akrasodomski

« Cyber Vulnerability Report 2015
NSA Surveillance Reform - Snowden’s Vindication. »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CGI Group

CGI Group

CGI is a leading IT and business process services provider. Services include IT consulting, Systems Integration, Application Development, Infrastructure, Business Processes, Digital IP.

Ethio-CERT

Ethio-CERT

National Cyber Emergency Readiness and Response Team of Ethiopia.

PakCERT

PakCERT

PakCERT is the national Computer Emergency Response Team for Pakistan.

AuthenTrend

AuthenTrend

AuthenTrend provide biometric authentication products to achieve high security with extreme ease-of-use for the user.

Ethoca

Ethoca

Ethoca is a secure network for card issuers and merchants to connect and work cooperatively outside the payment network in a unique and powerful way.

Blake, Cassels & Graydon (Blakes)

Blake, Cassels & Graydon (Blakes)

Blakes is one of Canada’s top business law firms serving national and international clients in specialist areas including cyber security.

Accredia

Accredia

Accredia is the national accreditation body for Italy. The directory of members provides details of organisations offering certification services for ISO 27001.

Two Six Technologies

Two Six Technologies

Two Six Technologies delivers R&D, innovation, productization and implementation expertise in cyber, data science, mobile, microelectronics and information operations.

Blumira

Blumira

Blumira provides comprehensive, hybrid cloud security monitoring and reporting for organizations of all sizes, enabling them to detect and respond to cloud security threats quickly and effectively.

Ampere Industrial Security

Ampere Industrial Security

Ampere is an industrial security firm. We specialize in industrial control systems (ICS) and operational technology (OT) security.

Summit 7 (S7)

Summit 7 (S7)

Summit 7 is a national leader in cybersecurity, compliance, and managed services for the Aerospace and Defense industry and corporate enterprises.

Trustaira

Trustaira

Trustaira is the first deep tech solution and service company in Bangladesh.

Beround

Beround

Beround is an IT consultancy firm specialized in software testing.

Digital Security Authority (DSA)

Digital Security Authority (DSA)

The establishment of the Digital Security Authority, which incorporates the National CSIRT, is crucial to significantly raising the cybersecurity posture and capabilities of Cyprus.

Ronet Cyber Security

Ronet Cyber Security

Ronet Cyber Security offers crypto forensics services for regulators, law enforcement, companies and individuals to ensure that your transactions are safe and secure.

Coastline Cybersecurity

Coastline Cybersecurity

Coastline Cyber is a cybersecurity consulting firm dedicated to helping organizations strengthen their security posture by reducing risks, mitigating threats, and protecting against attacks.